----- Original Message -----
From: Gabriel Belingueres <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 27, 1999 3:04 PM
Subject: Re: Web Traffic Analysis
> > 2. Doing internet banking?
> > Can you gain relevant information using statistical analysis?
> > You possibly find out that someone did a wired transfer. But
> > (if the system is designed well) you don't know who.
>
> If the attacker have an account in the same bank, so he/she can retrieve
> at least one time those html files protected with HTTPS, then could know
> what kind of transactions or queries the client is doing.
> Who? Very probably, the bank is using strong crypto (RC4 with 128 bits
> of key, for example), and maybe the bank give to him/her a free
> certificate for being a customer (I don't know if any bank in the world
> have this service, but would be nice anyway :).
> As the SSL handshake message Certificate travels in the clear, the
> attacker may have a good chance of know who did the transactions. Even,
> worst, because the SSL handshake is previous to the web transactions,
> the attacker even could decide to mount an active attack against that
> customer, or not.
Bad implementation. That's not the problem.
> > Would it be possible to add a compression layer with different
compression
> > levels?
>
> Do you mean in SSL and TLS implementations? or the protocol we are
> discussing now?
> Anyway, I don't know much about compression, but I think it must be a
> "one-to-one" method.
TLS has a compression layer but no compression algorithms are defined up to
now. This specific "against traffic analysis compression algorithm" may
compress or pad messages. I think that's the best idea. Impementing an
additional protocol (as you suggest) is too complicated and no one will
implement it.
The idea with the escape code is good but not practical. A few weeks ago
I suggested to add additional data in the client hello for solving the
"draft-ietf-tls-http-upgrade-02.txt" problem without success.
Your issue can be solved with the compression layer. The upgrading
problem really needs the additional data.
Regards Rene
--
-----------------------------------------------------------
Rene G. Eberhard
Mail : [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
